Reading Notebook: 17-July-09

Comments in italics are mine and express my own views, thoughts and opinions

Windows Internals by M. Russinovich, D. Solomon and A. Ionescu:

Windows objects (incl. desktop, menu, window) vs. native Windows objects (p. 23)

Unicode and ANSI entry points (pp. 23 - 24) - example from a dump file:

0: kd> x kernel32!*
[...]
77e64849 kernel32!CreateFileW = <no type information>
[...]
77e41a63 kernel32!CreateFileA = <no type information>
[...]

0: kd> .asm no_code_bytes
Assembly options: no_code_bytes

0: kd> uf kernel32!CreateFileA
kernel32!CreateFileA:
77e41a63 mov     edi,edi
77e41a65 push    ebp
77e41a66 mov     ebp,esp
77e41a68 push    dword ptr [ebp+8]
77e41a6b call    kernel32!Basep8BitStringToStaticUnicodeString (77e64c27)
77e41a70 test    eax,eax
77e41a72 je      kernel32!CreateFileA+0x11 (77e41a92)

kernel32!CreateFileA+0x16:
77e41a74 push    dword ptr [ebp+20h]
77e41a77 push    dword ptr [ebp+1Ch]
77e41a7a push    dword ptr [ebp+18h]
77e41a7d push    dword ptr [ebp+14h]
77e41a80 push    dword ptr [ebp+10h]
77e41a83 push    dword ptr [ebp+0Ch]
77e41a86 push    dword ptr [eax+4]
77e41a89 call    kernel32!CreateFileW (77e64849)

kernel32!CreateFileA+0x30:
77e41a8e pop     ebp
77e41a8f ret     1Ch

kernel32!CreateFileA+0x11:
77e41a92 or      eax,0FFFFFFFFh
77e41a95 jmp     kernel32!CreateFileA+0x30 (77e41a8e)
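What the listing shows, spelled out: CreateFileA hands its first argument (the ANSI file name at [ebp+8]) to Basep8BitStringToStaticUnicodeString, returns -1 (INVALID_HANDLE_VALUE, the "or eax,0FFFFFFFFh") if that conversion fails, and otherwise pushes the other six arguments plus the Buffer field of the returned UNICODE_STRING ([eax+4], since Length and MaximumLength occupy the first four bytes) and calls CreateFileW; "ret 1Ch" pops the seven 4-byte stdcall arguments. For anyone monitoring or hooking file creation this also means the W entry point is the one that sees every call, whichever entry point the caller picked. The C program below is an added example, not code from the book or from this post: it models the thunk portably so it runs anywhere, with open_file_a, open_file_w and to_static_unicode as hypothetical stand-ins for CreateFileA, CreateFileW and Basep8BitStringToStaticUnicodeString, a constructed handle counter in place of a real open, and an assumed static buffer of MAX_PATH + 1 characters.

```c
/* Added example (not from the book or the post): a portable model of the
 * ANSI-to-Unicode thunk in the CreateFileA listing. open_file_a, open_file_w
 * and to_static_unicode are hypothetical stand-ins for CreateFileA, CreateFileW
 * and Basep8BitStringToStaticUnicodeString; the handle counter is constructed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef intptr_t handle_t;
#define INVALID_HANDLE_VALUE ((handle_t)-1)   /* the "or eax,0FFFFFFFFh" result */

/* 32-bit UNICODE_STRING layout: two 16-bit byte counts, then Buffer at +4,
 * which is the "[eax+4]" the thunk pushes as CreateFileW's first argument. */
typedef struct {
    uint16_t  Length;         /* bytes in use, excluding the terminator */
    uint16_t  MaximumLength;  /* bytes available in Buffer */
    uint16_t *Buffer;         /* UTF-16 code units */
} unicode_string_t;

/* One static conversion buffer, standing in for the per-thread static
 * UNICODE_STRING the real helper fills. 261 = MAX_PATH + 1 is an assumption. */
#define STATIC_CHARS 261
static uint16_t         g_static_buf[STATIC_CHARS];
static unicode_string_t g_static_us = { 0, sizeof g_static_buf, g_static_buf };

/* Widen an 8-bit string into the static buffer; NULL if it does not fit,
 * which is the path where the thunk returns INVALID_HANDLE_VALUE. */
static unicode_string_t *to_static_unicode(const char *s)
{
    size_t n = strlen(s);
    if (n + 1 > STATIC_CHARS)
        return NULL;
    for (size_t i = 0; i < n; i++)
        g_static_buf[i] = (unsigned char)s[i];   /* toy widening: Latin-1 only */
    g_static_buf[n] = 0;
    g_static_us.Length = (uint16_t)(n * 2);
    return &g_static_us;
}

/* Constructed "kernel" side: a counter hands out handles 4, 8, 12, ... so the
 * example runs offline. A real CreateFileW would open the object instead. */
static unsigned g_open_count;
static unsigned g_w_calls;   /* counts W entries: every A call lands here too */

static handle_t open_file_w(const uint16_t *name, uint32_t desired_access,
                            uint32_t share, void *sec, uint32_t disposition,
                            uint32_t flags, handle_t template_file)
{
    (void)desired_access; (void)share; (void)sec; (void)disposition;
    (void)flags; (void)template_file;
    g_w_calls++;
    size_t n = 0;
    while (name[n] != 0) n++;
    if (n == 0)                         /* an empty name cannot be opened */
        return INVALID_HANDLE_VALUE;
    return (handle_t)(4 * (++g_open_count));
}

/* The thunk itself, mirroring the seven-argument stdcall CreateFileA
 * (ret 1Ch = 7 * 4 bytes popped by the callee). */
static handle_t open_file_a(const char *name, uint32_t desired_access,
                            uint32_t share, void *sec, uint32_t disposition,
                            uint32_t flags, handle_t template_file)
{
    unicode_string_t *us = to_static_unicode(name);   /* call Basep8Bit... */
    if (us == NULL)                                    /* test eax,eax / je   */
        return INVALID_HANDLE_VALUE;                   /* or eax,-1 ; ret     */
    /* push the six other args and us->Buffer ([eax+4]), then call the W side */
    return open_file_w(us->Buffer, desired_access, share, sec, disposition,
                       flags, template_file);
}

static unsigned w_call_count(void) { return g_w_calls; }

int main(void)
{
    /* Constructed inputs: one ordinary path, one name too long for the buffer. */
    handle_t h1 = open_file_a("C:\\constructed\\sample.txt",
                              0x80000000u, 1, NULL, 3, 0x80, 0);
    char too_long[STATIC_CHARS + 40];
    memset(too_long, 'a', sizeof too_long - 1);
    too_long[sizeof too_long - 1] = 0;
    handle_t h2 = open_file_a(too_long, 0x80000000u, 1, NULL, 3, 0x80, 0);
    printf("h1=%ld h2=%ld W entries=%u\n", (long)h1, (long)h2, w_call_count());
    return 0;
}
```

The W call counter is the point worth noticing: the overlong name fails inside the conversion helper and never reaches the W side, while every successful A call does, so a breakpoint or hook placed on the W entry point observes both the ANSI and the Unicode callers.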

Average CPU usage and Disk per-file I/O columns in Resource Monitor (p. 25)

Detecting background network activity in RM (p. 26)

Kernel debugging setup (pp. 26 - 31) - an alternative for study is to use kernel and complete memory dump files

Syser Debugger (www.sysersoft.com) - I'll give it a try later (never used)

Symbols (pp. 26 - 27) - quick download links and symbol paths (including Citrix symbol server) are on www.windbg.org. If you don’t have correct symbols you might get these errors:

****************************************************************************
* Symbol loading may be unreliable without a symbol search path.           *
* Use .symfix to have the debugger choose a symbol path.                   *
* After setting your symbol path, use .reload to refresh symbol locations. *
****************************************************************************

*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Windows\system32\ntdll.dll -

*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Windows\system32\USER32.dll -

Invasive debugging - DebugActiveProcess / Noninvasive - OpenProcess (p. 27)

Live debugging (p. 28) - we can also use XenServer for it. You can also learn debugging basics from my book Windows Debugging: Practical Foundations

Inconsistency of dumps generated by LiveKd (pp. 30 - 31) - nevertheless I found it useful to list all processes and threads via the !process 0 ff command and search for patterns like LPC wait chains and various anomalies from normal stack traces

Windows Driver Kit (pp. 31 - 32) - additional resources like books can be found in my post Moving to kernel space (updated references). I plan to add a few books there soon.

- Dmitry Vostokov @ SoftwareGeneralist.com -
